OAuth and OpenID Connect for Microservices

Nordic APIs Platform Summit 2014. Presenter: Jacob Ideskog

Tecnologia

OAuth and OpenID Connect for Microservices
A homogenous solution for a heterogeneous problem!
Jacob Ideskog – Identity Specialist at Twobo Technologies!
Copyright © 2014 Twobo Technologies AB. All rights reserved

Copyright © 2014 Twobo Technologies AB. All rights reserved
A Traditional Service

With Traditional Subsystems
Copyright © 2014 Twobo Technologies AB. All rights reserved
Component C
Component D
Component A
Component B

… and traditional scalability
Copyright © 2014 Twobo Technologies AB. All rights reserved

But this is not always how we build systems
Copyright © 2014 Twobo Technologies AB. All rights reserved

A microservice
Copyright © 2014 Twobo Technologies AB. All rights reserved

Many microservices
Copyright © 2014 Twobo Technologies AB. All rights reserved

Scaling microservices
Copyright © 2014 Twobo Technologies AB. All rights reserved

So what’s the problem?
Copyright © 2014 Twobo Technologies AB. All rights reserved

Securing a traditional service
Copyright © 2014 Twobo Technologies AB. All rights reserved

Securing a traditional service
Copyright © 2014 Twobo Technologies AB. All rights reserved
User repository

So for microservices that would mean
Copyright © 2014 Twobo Technologies AB. All rights reserved
User repository

Not fantastic!
Copyright © 2014 Twobo Technologies AB. All rights reserved

Lets talk about OAuth
It’s not for Authentication
…and not for Authorization
OAuth is a scalable delegation protocol
Copyright © 2014 Twobo Technologies AB. All rights reserved

OAuth has 4 actors
Resource Owner (RO)
Authorization Server (AS)
ClientResource Server (RS)
Copyright © 2014 Twobo Technologies AB. All rights reserved

The client requests access
Resource Owner (RO)
Authorization Server (AS)
ClientResource Server (RS)
Copyright © 2014 Twobo Technologies AB. All rights reserved

The AS requires the RO to authenticate
Resource Owner (RO)
Authorization Server (AS)
ClientResource Server (RS)
Copyright © 2014 Twobo Technologies AB. All rights reserved

The AS issues the tokens
Resource Owner (RO)
Authorization Server (AS)
ClientResource Server (RS)
Copyright © 2014 Twobo Technologies AB. All rights reserved

The Client presents the token to the RS
Resource Owner (RO)
Authorization Server (AS)
ClientResource Server (RS)
Copyright © 2014 Twobo Technologies AB. All rights reserved

The RS validates the Token
Resource Owner (RO)
Authorization Server (AS)
ClientResource Server (RS)
Copyright © 2014 Twobo Technologies AB. All rights reserved

Access!
Resource Owner (RO)
Authorization Server (AS)
ClientResource Server (RS)
Copyright © 2014 Twobo Technologies AB. All rights reserved

One very important thing"
"
- The Client knows nothing about the user
Copyright © 2014 Twobo Technologies AB. All rights reserved

Open ID Connect"
(Simplified)
Copyright © 2014 Twobo Technologies AB. All rights reserved

Request Access
Resource Owner (RO)
Copyright © 2014 Twobo Technologies AB. All rights reserved
Authorization Server (AS)
ClientResource Server (RS)
Sessions
MyMail.com

Get Redirected to AS
Resource Owner (RO)
Copyright © 2014 Twobo Technologies AB. All rights reserved
Authorization Server (AS)
ClientResource Server (RS)
Sessions
MyMail.com

Challenged
Resource Owner (RO)
Copyright © 2014 Twobo Technologies AB. All rights reserved
Authorization Server (AS)
ClientResource Server (RS)
Sessions
MyMail.com

Now – an ID Token ( ) is also given
Resource Owner (RO)
Copyright © 2014 Twobo Technologies AB. All rights reserved
Authorization Server (AS)
ClientResource Server (RS)
Sessions
MyMail.com

Sessions can be created (SSO)
Resource Owner (RO)
Copyright © 2014 Twobo Technologies AB. All rights reserved
Authorization Server (AS)
ClientResource Server (RS)
Sessions
MyMail.com

Tada!
Resource Owner (RO)
Copyright © 2014 Twobo Technologies AB. All rights reserved
Authorization Server (AS)
ClientResource Server (RS)
Sessions
MyMail.com

What was interesting there?
Copyright © 2014 Twobo Technologies AB. All rights reserved

TRUST
Copyright © 2014 Twobo Technologies AB. All rights reserved

The ID Token is a JWT"
(JSON Web Token)
Copyright © 2014 Twobo Technologies AB. All rights reserved

$A signed JSON document { } { "iss": "https://fs.oidc.net", "x5t": "5F0A1359B4BB9FBB104155908DEC1FDCB5AC8865", "typ": "JWT", "alg": "RS256” "sub": "janedoe", "name" : "Jane Doe", "email" : "jane@doe.com", "phone_number" "+46 (0) 12345678", "aud": "https://mymail.com", "iss": "https://fs.oidc.net", "nbf": 1409213888783, "jti": "622a9973-‐fc4d-‐4797-‐be31-‐7c2116f549df", "exp": 1409213890583, "iat": 1409213888783 } Copyright © 2014 Twobo Technologies AB. All rights reserved Certificate Signature orQOOKvXN3jbEpBSl0RHAyaQNxcx9DFgtMsJJgMxm9Az6QJMKKy6m0 WvP1UzXZA_nsK16g9etg2yEW9IXbQU0RbSQktUtObRB9SxHtW_AcCk6 93XDAz15Y4aP9DeD62nROzd1MS4FZTmY3Cgzo1-3- sqW6_4Rgzs94aLO3aLP_zoVtJycCUKtJQhGhPTyjXXYWMsp0E4uTtL8Ri f7cWu4olme_XNFlAs73pOrfzsQYc1GD2dB70l1M8SDaJZFURr9jAAaavX 7Xqs_FPXY1PZLXLbc3ARXFmRf_- Z4B6uLCGI2shzl12ni54Yun6dflL9rQwaxXYuNZZodUWchID2cA$

OAuth Access Tokens can also be JWTs
Copyright © 2014 Twobo Technologies AB. All rights reserved

2 types of tokens
Copyright © 2014 Twobo Technologies AB. All rights reserved
123XYZ
Jane Doe
By Value
By Reference

By Reference
Contains NO information outside the network
Copyright © 2014 Twobo Technologies AB. All rights reserved
123XYZ
Jane Doe

Contains ALL necessary information
Copyright © 2014 Twobo Technologies AB. All rights reserved
By Value

External vs. Internal
By ReferenceBy Value
123XYZ
Outside the network
Inside the network
Copyright © 2014 Twobo Technologies AB. All rights reserved
API Firewall /
Reverse Proxy
API

Token Translation
By ReferenceBy Value
123XYZ
Outside the network
Inside the network
Copyright © 2014 Twobo Technologies AB. All rights reserved
API Firewall /
Reverse Proxy
API

Back to Microservices
Copyright © 2014 Twobo Technologies AB. All rights reserved

2 Problems"
"
- Identifying the user"
- Creating sessions"
Copyright © 2014 Twobo Technologies AB. All rights reserved

Leave authentication to the OAuth/OIDC server
Resource Owner (RO)
Copyright © 2014 Twobo Technologies AB. All rights reserved
Authorization Server (AS)

Let all Microservices accept JWTs
Resource Owner (RO)
Copyright © 2014 Twobo Technologies AB. All rights reserved

BUT…"
"
Translate!
Copyright © 2014 Twobo Technologies AB. All rights reserved

Let all Microservices accept JWTs
Resource Owner (RO)
Copyright © 2014 Twobo Technologies AB. All rights reserved
Reverse Proxy
123
XYZ

- everything is self contained"
- standards based"
- non-reputable"
- scalable
Copyright © 2014 Twobo Technologies AB. All rights reserved
Conclusion

Copyright © 2014 Twobo Technologies AB. All rights reserved
Thank you!

Mais conteúdo relacionado

Mais procurados

1400 ping madsen-nordicapis-connect-01

Authorization The Missing Piece of the Puzzle

OpenID Connect Explained

Vladimir Dzhuvinov

Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile World

Launching a Successful and Secure API

SpringOne Platform 2016 Speaker: David Ferriera; Director, Cloud Technology, Forgerock Microservices architecture elevates the challenges for Authentication and Authorization management. When a single frontend request can result in many backend microservices calls, it is important to balance security and performance. ForgeRock provides a standards-based blueprint that provides a flexible solution for making these choices while protecting your Cloud Foundry services end to end.

An Authentication and Authorization Architecture for a Microservices World

This talk is about how to secure your front-end + backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your front-end application is running on a browser and not securely from the server, there are few things you need to consider. In this session Alvaro will explore standards like OAuth and JWT to achieve a stateless, token-based authentication and authorisation. He will explore the existing impl More specifically, the demonstration will be made using Spring Security REST, a popular Grails plugin written by Álvaro. Authentication is normally a stateful service. Most of the implementations rely on the HTTP session, thus introducing state as the session is an in-memory data structure in the application server. In the microservices era, most of the companies are developing such called RESTful services, where one of the principles is to create stateless systems. In such scenario, authentication should be stateless too. There is a standard specification to secure web application and API's, that is being adopted massively by the industry: OAuth 2. The specification doesn't explicitly cover how to make a stateless implementation. And most of the existing ones depend on some sort of external storage (such as a DB) to store the tokens generated for a later validation. Fortunately, there is another specification by the IETF called JSON Web Token, that can be combined with OAuth 2 to achieve a stateless authentication system. In the session, Alvaro will explain the core concepts of OAuth 2, as well as JWT and how can them be used together to achieve the last 2 letters of REST: State Transfer.

Stateless authentication with OAuth 2 and JWT - JavaZone 2015

Introducing Open APIs and the security risks involved and the great rewards that can be reaped. Going through the advantages of using and publishing APIs and how to get started, how to handle security risks with a "neo-security" stack and how Twitters API has been used to analyse Twitter use in Sweden. Lightning talk from Øredev 7 november 2013 in Malmö Sweden. Presented by Andreas Krohn, Travis Spencer and Hampus Brynolf. More information at http://nordicapis.com/oredev2013.

Open APIs - Risks and Rewards (Øredev 2013)

Designing an API

OAuth & OpenID Connect Deep Dive

In this talk, Daniel Lindau, Solution Architect at Curity, will show how OAuth can be integrated into Single Page Applications (SPAs) using the assisted token flow — a new OAuth message exchange pattern introduced at IETF 101. He will contrast it with implicit flow and show how framing, token storage, and other nuances are handled using this new alternative flow. He will highlight the use of the HTML postMessage interface for passing tokens (vis-a-vis redirects used by other flows). He will also demo how this protocol can be used with various JavaScript frameworks, like JQuery, in just a few lines of code. He will conclude by giving a state of the draft and its future.

OpenID Connect 1.0 Explained

Eugene Siow

OAuth Assisted Token Flow for Single Page Applications

Single Sign On with OAuth and OpenID

Gasperi Jerome

Mit 2014 introduction to open id connect and o-auth 2

Justin Richer

CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect

CloudIDSummit

Twobo LDAP Attribute Store for ADFS

Save 10% off ANY FITC event with discount code 'slideshare' See our upcoming events at www.fitc.ca Yuri will discuss the challenges of authentication and authorization in the MEAN stack. Topics include architecture, best practices for determining client and server responsibilities, and the importance of sharing authorization context with the client logic in order to build an effective user experience. Angular and Node code samples will be used to illustrate. Presented live at FITC's Spotlight: MEAN Stack event held on March 28th, 2014 More info at FITC.ca

Authentication and Authorization Architecture in the MEAN Stack

FITC

LASCON 2017: SAML v. OpenID v. Oauth

Mike Schwartz

CIS 2015 OpenID Connect and Mobile Applications - David Chase

CloudIDSummit

ID連携入門 (実習編) - Security Camp 2016

Nov Matake

Mais procurados (20)

1400 ping madsen-nordicapis-connect-01

Authorization The Missing Piece of the Puzzle

OpenID Connect Explained

Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile World

Launching a Successful and Secure API

An Authentication and Authorization Architecture for a Microservices World

Stateless authentication with OAuth 2 and JWT - JavaZone 2015

Open APIs - Risks and Rewards (Øredev 2013)

Designing an API

OAuth & OpenID Connect Deep Dive

OpenID Connect 1.0 Explained

OAuth Assisted Token Flow for Single Page Applications

Single Sign On with OAuth and OpenID

Mit 2014 introduction to open id connect and o-auth 2

CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect

Twobo LDAP Attribute Store for ADFS

Authentication and Authorization Architecture in the MEAN Stack

LASCON 2017: SAML v. OpenID v. Oauth

CIS 2015 OpenID Connect and Mobile Applications - David Chase

ID連携入門 (実習編) - Security Camp 2016

Destaque

This talk is about how to secure your frontend+backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your frontend application is running on a browser and not securely from the server, there are few things you need to consider. In this session Alvaro will explore standards like OAuth or JWT to achieve a stateless, token-based authentication using frameworks like Angular JS on the frontend and Spring Security on the backend. Video available at https://skillsmatter.com/skillscasts/6058-stateless-authentication-for-microservices

Stateless authentication for microservices

When implementing applications using a microservice architecture, concerns of authenticating and authorising end-users or other services requires a different approach, especially when scalability and no single points of failure is in mind. I’d like to talk about some “lessons learned” in the past few years and show a few ideas how to deal with these concerns. About David Borsos David is a Senior Consultant for OpenCredo having joined the company as a consultant in 2013. David works on a number of technical engagements for OpenCredo and has a several years experience working in the financial industry, developing web-based enterprise applications, mostly of internally used tools that supported the maintenance and operations of a large IT infrastructure.

Microservices Manchester: Authentication in Microservice Systems by David Borsos

OpenCredo

Constructing a successful and simple API is the lifeblood of your developer community, and REST is a simple standard through which this can be accomplished. As we construct our API and need to secure the system to authenticate and track applications making requests, the open standard of OAuth 2 provides us with a secure and open source method of doing just this. In this talk, we will explore REST and OAuth 2 as standards for building out a secure API infrastructure, exploring many of the architectural decisions that PayPal took in choosing variations in the REST standard and specific implementations of OAuth 2.

Securing RESTful APIs using OAuth 2 and OpenID Connect

Jonathan LeBlanc

http://www.springio.net/stateless-authentication-for-microservices/ This talk is about how to secure your front-end + backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your front-end application is running on a browser and not securely from the server, there are few things you need to consider. In this session Alvaro will explore standards like OAuth and JWT to achieve a stateless, token-based authentication and authorization using Spring Security in Grails. More specifically, the demonstration will be made using Spring Security REST, a popular Grails plugin written by Álvaro.

Stateless authentication for microservices - Spring I/O 2015

This talk is about how to secure your frontend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications, when your frontend application is running on a browser and not securely from the server, there are few things you need to consider. We will explore standards like OAuth or JWT to achieve a stateless, token-based authentication using frameworks like Angular JS on the frontend and Spring Security on the backend. Note: images are courtesy of Shutterstock.com

Testing strategies for micro services - Ketan Soni, Jesal Mistry, ThoughtWorks

Thoughtworks

Nginx Scripting - Extending Nginx Functionalities with Lua

Tony Fabeen

The Role of Enterprise Integration in Digital Transformation

Kasun Indrasiri

What is API's

John Pereless

Stateless token-based authentication for pure front-end applications

Software security is hard. Software security in Microservice Systems is even harder. Microservice-style software architectures have steadily been gaining popularity in recent years. They offer many benefits over traditional monolithic software products, however they also introduce new challenges - one of these being security. In recent years David has worked on this problem in several independent projects, and this talk will draw on his learnings within the topic of authenticating end-users. David will describe, compare and evaluate several authentication options from the perspective of how secure they are and how well they comply with the qualities of a well-designed microservice system. You will leave the talk with suggested evaluation criteria and guidance for implementation based on their use cases.

OAuth2 and Spring Security

Orest Ivasiv

muCon 2016: Authentication in Microservice Systems By David Borsos

OpenCredo

DevSecOps in Baby Steps

Priyanka Aash

[参考情報] 【永久保存版】OAuth 2.0 / OpenID Connect シーケンスまとめ URL：https://qiita.com/kura_lab/items/812a62b5aa3427bdb49d タイトル：『OpenID Connect 入門〜コンシューマー領域におけるID連携のトレンド〜』概要：コンシューマー領域におけるID連携のトレンドであるOpenID Connectの概要と仕様のポイントについてご紹介します。 OpenID TechNight Vol.13 - ID連携入門 Aug. 26, 2015 URL：https://openid.doorkeeper.jp/events/29487

OpenID Connect 入門〜コンシューマーにおけるID連携のトレンド〜

Masaru Kurahayashi

Analyzing OAuth

Oliver Pfaff

Modern authentication solutions in Angular 2 with OAuth 2.0 and OpenId Connect

Manfred Steyer

SäKerhet I Molnen

Predrag Mitrovic

I den här presentationen diskuteras begreppet tjänsteplattform, e-tjänsteplattform, "kommunal tjänsteplattform" och vad den plattformen egentligen behöver innehålla för att svara upp mot en hållbar e-utveckling. Med hållbar avses här att göra rätt från början, att inte måla in sig i ett hörn, att inte hamna i en återvändsgränd - bara för att man inte hade hela bilden klart för sig när man startade. Och det går att börja smått, ändå. Med enkla e-tjänster.

Tjänsteplattform i mtg - 2014 02-05

Advania

2. Day 2 - Identify and SSO

Huy Pham

Stateless authentication for microservices - Greach 2015

Find out how today’s authorization experts are getting maximum value from OAuth OAuth has quickly become the key standard for authorization across mobile apps and the Web. But are you getting the most out of OAuth? Join Mehdi Medjaoul, Co-Founder & Executive Director of Webshell – the company behind OAuth.io – and Scott Morrison, former CTO of Layer 7 and now Distinguished Engineer at CA Technologies, as they discuss how authorization experts are really using OAuth today.

Destaque (19)

Stateless authentication for microservices

Microservices Manchester: Authentication in Microservice Systems by David Borsos

Securing RESTful APIs using OAuth 2 and OpenID Connect

Stateless authentication for microservices - Spring I/O 2015

Testing strategies for micro services - Ketan Soni, Jesal Mistry, ThoughtWorks

Nginx Scripting - Extending Nginx Functionalities with Lua

The Role of Enterprise Integration in Digital Transformation

What is API's

Stateless token-based authentication for pure front-end applications

OAuth2 and Spring Security

muCon 2016: Authentication in Microservice Systems By David Borsos

DevSecOps in Baby Steps

OpenID Connect 入門〜コンシューマーにおけるID連携のトレンド〜

Analyzing OAuth

Modern authentication solutions in Angular 2 with OAuth 2.0 and OpenId Connect

SäKerhet I Molnen

Tjänsteplattform i mtg - 2014 02-05

2. Day 2 - Identify and SSO

Stateless authentication for microservices - Greach 2015

Semelhante a OAuth and OpenID Connect for Microservices

Securing your Rails application

clucasKrof

Razorfish 2014 Tech Summit - Senior Principal Scientist at Adobe Roy Fielding

Razorfish

OAuth in the Real World featuring Webshell

CA API Management

DevOps, CD and [Data] Microservices

Fred Melo

OAuth2 - The Swiss Army Framework

Brent Shaffer

Microservices architecture

Daniel Foo

Mule4 EAIESB Meetup

Vijay Reddy

OGDC 2014_Cross platform mobile game application development_Mr. Makku J.Kero

ogdc

OGDC 2014: Cross Platform Mobile Game Application Development

GameLandVN

POOQ - Content Alliance Platform is the primary OTT service provider in Korea. In this session, we discuss how Content Alliance Platform migrated its workloads to AWS this year using AWS Elemental Cloud, Amazon CloudFront, and other AWS services. After their initial migration, Content Alliance Platform has continuously optimized video transcoding for better quality and cost-effective delivery using CloudFront. To achieve this, they developed various video profiles using AWS Elemental Live, according to the content, by using various CloudFront features, such as geo-blocking, signed cookies and URLs, and HTTPS with ACM, and by adopting various new media technologies, such as H.265, UHD, VBR, and HFR. Finally, we discuss how Content Alliance Platform is developing its next generation of OTT services using microservice architecture with Docker.

CTD303_Korea’s Largest OTT provider

Amazon Web Services

The primary goals of this session are to: Do a deep dive into the CF architecture via animated slides illustrating push, stage, deploy, scale, and health management. Also do a brief dive into BOSH, including why BOSH, what it is, and animations of how it works. It’s not an operations focused workshop, so we keep the treatment light. Discuss the value adds to CF BOSH OSS that Pivotal brings through the Pivotal Ops Manager product and our associated ecosystem of data and mobile services. Quickly prove that I can push an app to a Pivotal CF environment running on vCHS in the same exact way I can push an app to PWS. Pivotal Cloud Platform Roadshow is coming to a city near you! Join Pivotal technologists and learn how to build and deploy great software on a modern cloud platform. Find your city and register now http://bit.ly/1poA6PG

Part 2: Architecture and the Operator Experience (Pivotal Cloud Platform Road...

More and more enterprises today are doing business by opening up their data and applications through APIs. Though forward-thinking and strategic, exposing APIs also increases the surface area for potential attack by hackers. To benefit from APIs while staying secure, enterprises and security architects need to continue to develop a deep understanding about API security and how it differs from traditional web application security or mobile application security.

API Security: Securing Digital Channels and Mobile Apps Against Hacks

Akana

Cloud native Microservices using Spring Boot

Sufyaan Kazi

Platform Security that will Last for Decades (Travis Spencer)

To Microservices and Beyond

Simon Elisha

Pivotal CenturyLink Cloud Platform Seminar Presentations: Architecture & Oper...

The primary goals of this presentation are to: - Show how to easily deploy Pivotal Cloud Foundry to CenturyLink Cloud with CenturyLink’s Blueprint technology - Do a deep dive into the CF architecture via animated slides illustrating push, stage, deploy, scale and health management. - Discuss in depth how Pivotal Cloud Foundry simplifies many traditional operator concerns such as managing application updates, availability, user/quota management and monitoring. - Provide a brief introduction to BOSH, including why BOSH, what it is and animations of how it works. - Discuss the value adds to CF BOSH OSS that Pivotal brings through the Pivotal Ops Manager product and our associated ecosystem of data and mobile services.

Architecture & Operations

By now you’ve bought into the idea of using APIs to integrate cloud, mobile devices and the enterprise. But are building safe APIs? One insecure API can increase your organization’s risk profile exponentially. Securing APIs is not like securing the web—a point lost on many developers coming from a web-centric background. Learn what good practices to put in place and the common security anti-patterns you must avoid to ensure your company’s APIs are reliable, safe and secure. You will learn: • The top ways hackers exploit APIs in the wild • Common identity pitfalls and how to avoid them • Why OAuth scopes are essential to master • How to keep web developers from bringing bad habits with them

Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...

CA API Management

Enabling Voice Applications with WebRTC and ORTC in Microsoft Edge

Mark Roberts

Keynote delivered by Casey Hadden, Software Developer and Architect at SAS. SAS is a software vendor with 35+ years of industry history (and 35+ years of software decisions). From mainframes, Unix workstations, and client-server to web applications, big data, and cloud; one constant has been the changing computing environment. Throughout these eras, SAS software and the SAS business has adapted to each change in order to deliver valuable analytics to our customers. With cloud environments firmly ensconced and PaaS gaining traction every day, how does SAS rework its software and business again to compete and thrive in this environment? How can SAS help to fill in the 'Analytics' portion of an enterprise PaaS strategy?

The Fantastic Voyage to PaaS - Are we there yet? (Cloud Foundry Summit 2014)